Hacking, Privacy Laws: Time To Reboot

Recent cases highlight serious flaws in current privacy and cyber abuse legislation, allowing prosecutors to wield a hammer when a stick will do.

What's more important: protecting civil liberties, or prosecuting people who misbehave?

Unfortunately, two cases have recently highlighted serious shortcomings in how our public officials pursue both of those goals, suggesting that the only viable solution is for Congress to overhaul existing privacy and computer-abuse laws.

For starters, the Computer Fraud and Abuse Act (CFAA) gives prosecutors such wide discretion in pursuing "computer crimes" that they can threaten minor offenders with excessive jail time, thus creating the possibility that people have been coerced into pleading guilty. That's why, on the civil rights front, numerous digital rights groups and privacy lawyers have been calling on Congress to rein in the CFAA, including its criminalization of the nebulous concept of "unauthorized access."

Thanks to the CFAA, prosecutors can wield a hammer when a stick -- at most -- is all they need. For example, Internet activist Aaron Swartz, who allegedly used the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database, faced 13 felony charges and a maximum jail sentence of at least 35 years in prison. Prosecutors charged Swartz despite JSTOR officials saying in 2011 that they'd dropped civil charges against him, noting that he'd apologized and promised that he'd returned all copies of the data he downloaded. Arguably, the case should have been closed -- and JSTOR officials urged prosecutors to do so. They declined.

Swartz's efforts weren't in pursuit of illicit financial gain. He wasn't reselling academic papers or stealing users' identities. Instead, he was campaigning for free access to information that was funded with taxpayer dollars. Regardless, he was hit with felony violations -- including wire fraud, computer fraud, "recklessly damaging" a computer, as well as unauthorized access -- in part for saying he'd wanted to publish the information for free. Yet he never did so.

The Swartz case shows that CFAA is far too broad, and prosecutors can't be trusted -- or perhaps expected -- to not use every prosecutorial tool available to gain a conviction or plea bargain. Critics of Carmen Ortiz, the lead federal prosecutor in Swartz's case, have accused her of bullying, given the threat of massive jail time that Swartz faced. But it's more useful to look at his case as a bellwether: this is what prosecutors will do with CFAA, if given the chance. Accordingly, Congress must rein it in.

Another bellwether of the types of overreach that are allowed -- this time on the privacy front -- stems from the case of David Petraeus, who last year resigned as director of the CIA, after an FBI agent reported that Petraeus was having an affair.

The bureau's cyber-crime investigators had considered the case to be closed. But FBI agent Frederick W. Humphries II, who'd gotten the investigation started on behalf of an acquaintance, feared that they were covering up a national security incident. He reported Petraeus' extramarital affair to Rep. Dave Reichert (R-Wash.), who told House majority leader Eric Cantor (R-Va.), who informed F.B.I. director Robert S. Mueller III.

Cue scandal, and Petraeus' resignation. Yet no related charges have been filed in the case against Petraeus. Likewise, no charges have been filed against his mistress -- and biographer -- Paula Blackwell, who'd been accused in the press of improperly handling classified information and of stalking socialite Jill Kelley, whom she saw as a rival for Petraeus' attentions. Finally, no charges have been filed against the FBI agent, because he apparently broke no privacy laws.

To be clear, the privacy missteps in the case involved a rank-and-file FBI agent who wasn't part of the cyber investigation and evidently didn't understand that affairs aren't a national security matter. In fact, since CIA regulations require employees to disclose any affairs they're having to the agency -- to mitigate blackmail threats -- it's likely that the relevant agency officials knew full well what Petraeus was doing.

But the FBI agent's airing of the affair kicked off a media storm and investigation that supposedly then found evidence that Kelley was having an affair with the top U.S. commander in Afghanistan, Gen. John Allen, to whom she'd supposedly sent 30,000 emails. Except that Kelley and Allen said none of it was true. Closing the matter, Army investigators cleared Allen of any misconduct.

Adding insult to privacy injury for the Kelley family is that they'd reached out to FBI agent Humphries in the first place. "We simply appealed for help after receiving anonymous e-mails with threats of blackmail and extortion," Jill Kelley and her husband Scott wrote in a recent Washington Post opinion piece. "When the harassment escalated to acts of cyberstalking in the early fall, we were, naturally, terrified for the safety of our daughters and ourselves. Consequently, we did what Americans are taught to do in dangerous situations: sought the help of law enforcement."

Unsurprisingly, the Kelleys are calling on Congress to get tough on what law enforcement agencies and government officials can do with people's private information -- for starters, by expanding the Electronic Communications Privacy Act (ECPA) to safeguard how people's emails can be accessed or disclosed. "Ours is a story of how the simple act of quietly appealing to legal authorities for advice on how to stop anonymous harassing e-mails can result in a victim being re-victimized," the Kelleys wrote.

Who re-victimized the Kelleys? Interestingly, they've accused government officials of leaking their names and the existence of private correspondence, along with failing to safeguard their identities even though they had reported a potential cyber-stalking crime.

Broadwell's reportedly threatening emails to Kelley aside, isn't the real crime the fact that unnamed authorities violated no privacy or data-mishandling laws, while leaving behind a trail of allegations and innuendo?

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)

In many ways, this only scratches the surface. While laws like CFAA and ECPA need to be reformed, so too may federal wiretap laws, compliance regimes, breach notification laws, laws of war, and others. It's too bad legislators are dangerously unprepared for cyberlaw.

Ok, so noone in this scandal did anything legally wrong. But, one portion deserves to be presented more clearly. A rank and file agent that disregarded the expertise and perhaps authority of his department's cyber crime unit in closing the case and continued to use bureau resources (including his time) to pursue an investigation for a friend. Abuse of office, misuse of resources, at least questionable if not prosecutible.

Looks like the only result was a political one without delving into where our senior military commanders focus is if they can deal with 30000 emails from an obviously well connected socialite. Kind of leads one to view Jack Nicholson's speech to Tom Cruise as a sort of premonition "All you did today was weaken a nation" (considering there are certainly others capable of filling the office).

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.